Energy grid operators warned of vulnerabilities that could give up control

LAS VEGAS — Operators of the nation’s energy grid were alerted Aug. 2 of vulnerabilities in industrial control systems that could allow attackers to damage or take control of systems.

The alert was the result of research reported Aug. 3 at the Black Hat Briefings, in which attacks against programmable logic controllers were demonstrated. Eliminating the bugs in systems that contain legacy equipment, decades old in many cases, will not be easy, said Tim Roxey of the North American Electric Reliability Corp., which issued the alert.

“It’s a mid- to long-term job at minimum,” Roxey said at a press conference.

The problem exists not only in the power distribution industry but in almost all industrial control systems, researchers said.

“Almost all PLC vendors do not require a password to send instructions to a controller,” said John Pollet of Red Tiger Security, one of the researchers who revealed the bugs. “This is a systemic problem for all control system vendors.”

Threats to control systems became evident with the discovery last year of the Stuxnet worm, which targeted specific Siemens controllers used in Iran’s nuclear facilities. But the wider threat of such an attack has been played down because of the complexity of Stuxnet and the money, time and resources believed to be needed to create it.

Security researcher Dillon Beresford set out to test that assumption and managed to produce a proof-of-concept attack in a matter of months for about $10,000.

“This shows it is not only nation-states that have this capability,” Beresford said. “It is now in the hands of researchers and it is only a matter of time before the criminal element gets access to it.”

The problem is that control systems have become standardized and networked, and functionality has been emphasized over security. Beresford exploited weaknesses in access control that allowed him to deliver commands to controllers.
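When a controller accepts commands from any host on the network, one compensating control is to push the "who is allowed to issue commands" decision into the monitoring layer. The following is an added example, not code from the article or the researchers: it assumes a constructed command log of the form `timestamp src_ip dst_plc op`, where `op` is a hypothetical coarse label (READ/WRITE/CTRL) a network sensor might assign, and flags control commands from hosts outside an allowlist of engineering workstations as well as never-before-seen host-to-controller pairs.

```python
"""Compensating detection for unauthenticated PLC command channels.

Added example (not from the article). The log format, the op labels and the
allowlist are assumptions; the sample data below is constructed, not real.
"""

# Constructed allowlist: which engineering workstations may change each PLC.
ALLOWED_WRITERS = {
    "plc-turbine-01": {"10.10.1.5"},
    "plc-breaker-07": {"10.10.1.5", "10.10.1.6"},
}
# Ops that change controller state; READ is treated as benign.
CONTROL_OPS = {"WRITE", "CTRL"}

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
2011-08-03T10:00:01 10.10.1.5 plc-turbine-01 READ
2011-08-03T10:00:02 10.10.1.5 plc-turbine-01 WRITE
2011-08-03T10:00:09 10.10.1.6 plc-breaker-07 CTRL
2011-08-03T10:01:30 10.10.1.6 plc-turbine-01 WRITE
2011-08-03T10:02:45 192.168.50.23 plc-breaker-07 READ
2011-08-03T10:02:46 192.168.50.23 plc-breaker-07 CTRL
"""

def parse_line(line):
    """Split one log line into its four fields."""
    ts, src, plc, op = line.split()
    return {"ts": ts, "src": src, "plc": plc, "op": op}

def analyse(log_text, allowed=ALLOWED_WRITERS):
    """Return alerts as (ts, src, plc, reason) tuples, in log order."""
    alerts = []
    seen_pairs = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        permitted = ev["src"] in allowed.get(ev["plc"], set())
        pair = (ev["src"], ev["plc"])
        # First contact from a host that is not on the PLC's allowlist.
        if pair not in seen_pairs:
            seen_pairs.add(pair)
            if not permitted:
                alerts.append((ev["ts"], ev["src"], ev["plc"], "new-unlisted-peer"))
        # Any state-changing op from a non-allowlisted host is an alert,
        # since the controller itself will not refuse it.
        if ev["op"] in CONTROL_OPS and not permitted:
            reason = "unauthorized-" + ev["op"].lower()
            alerts.append((ev["ts"], ev["src"], ev["plc"], reason))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```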

“We are making the same mistakes over and over,” said Tom Parker of Securicon. The researchers called for standards of security to be enforced for industrial control systems.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Aug 5, 2011

Why on earth are these systems on the (semi)public internet in the first place? Just like the Feds have SIPR which is air-gapped from the rest of internet, private critical systems need to be on a locked-down network that people on the outside can't even see.
